America's military science lab DARPA (the Defense Advanced Research Projects Agency) is now spending $110 million 'to allow those with little or no hacking experience to engage in cyberwarfare', reports the technology website CNET. The goal is to help US military commanders launch cyber attacks 'using preplanned scenarios that do not involve human operators manually typing in code.'
For the moment, set aside debate about how making attacks easy can affect international stability, or whether Australia should build its own cyber weapons. A key question still remains: is simplifying cyberwarfare really a good idea?
'Yes' is a tempting answer. The technology is complex, and custom or artisan tools like Stuxnet are hard to mass produce. More important, according to Jason Healey, 'admirals don't need to understand details of the ballistics of naval weaponry to plan a naval campaign. Similarly, cyber generals do not need to know the intimate details of TCP/IP packets.'
As a result, Healey argues that cyber conflicts resemble more traditional kinds of conflict at the level of international relations, where abstract if not simple lessons about history can prevail.
It is certainly true that traditional theories about international relations can apply to cyber. However, research on technology and national security also shows that serious problems arise when military leaders fail to understand important details about the weapons they might use or face in the field. [fold]
For example, simple but inaccurate assumptions about chemical and biological weapons have hurt military research, development, acquisition, and doctrine for biodefence. By contrast, the US military understands kinetic weapons very well. But it tends to oversimplify and thus conflate issues that don't involve conventional bombs and bullets. This tendency suggests that the risks of simplifying cybersecurity may outweigh the benefits.
I don't argue that the generals in charge of cyber operations need to be master hackers, fueled by Red Bull and Hot Pockets. Deskilling is a common and often desirable phenomenon; it allows us to do more because we need to know less about the nuts and bolts involved. You don’t need to be an auto mechanic to drive a car, and in computer science, higher-level languages like Java and Python allow us to write programs without understanding the 0s and 1s of machine code. So the impetus behind DARPA's 'Plan X' for cyberwar, though ambitious, makes some sense.
Yet avant-garde work by DARPA does not mean that the mainstream military is ready to start simplifying cyber.
Admirals may not need to understand ballistic details to plan a naval campaign, but some admirals came up the ranks as gunnery officers, and they can all draw on a sophisticated body of knowledge about fire control that the Navy has nurtured and refined for generations. It is too soon to assume that the armed services have enough resident expertise in cyber to know which details are decisive. It is far better to grapple with the complexity first.